Flowise has Insufficient Password Salt Rounds
Description
The default bcrypt cost factor (the library API calls it "salt rounds") is 5, below the OWASP-recommended minimum work factor of 10. The cost is the base-2 logarithm of the number of key-setup iterations, so 5 means 2^5 = 32 iterations and each increment doubles the work.
Affected Code

```typescript
import bcrypt from 'bcryptjs' // package assumed; the native 'bcrypt' module exposes the same calls

// Vulnerable as reported: when PASSWORD_SALT_HASH_ROUNDS is unset, the cost
// factor falls back to 5, i.e. 2^5 = 32 key-setup iterations per hash.
export function getHash(value: string) {
    const salt = bcrypt.genSaltSync(parseInt(process.env.PASSWORD_SALT_HASH_ROUNDS || '5'))
    return bcrypt.hashSync(value, salt)
}
```
Evidence
bcrypt's cost parameter is the base-2 logarithm of the number of iterations in its expensive key setup, so a cost of 5 gives 2^5 = 32 iterations, far below the OWASP-recommended minimum work factor of 10 (2^10 = 1024 iterations). Each increment doubles the work, so hashes made at cost 5 are 32 times cheaper to test than hashes made at cost 10, which makes them correspondingly easier to brute-force on modern GPU hardware.
Impact
Faster password cracking: if the database is compromised, an attacker can test candidate passwords against the stored hashes roughly 32 times faster than against hashes made at cost 10, potentially recovering the credentials of all user accounts.
Recommendation
Increase default PASSWORD_SALT_HASH_ROUNDS to at least 10 (recommended by OWASP). Consider using 12 for better security-performance balance. Document that higher values increase login time but improve security.
Notes
The default bcrypt cost factor is 5 (encryption.util.ts line 6), which gives only 2^5 = 32 key-setup iterations; OWASP recommends a work factor of at least 10 (1024 iterations) for bcrypt.

The value is configurable through the PASSWORD_SALT_HASH_ROUNDS environment variable, but the default matters because (1) most deployments run with defaults, and (2) hashes already stored at cost 5 stay weak even after the setting is raised, since bcrypt embeds the cost in each hash and only newly created hashes use the new value.

The advisory estimates that modern GPUs reach roughly 300,000 bcrypt hashes per second at cost 5 versus about 10,000 per second at cost 10, a 30x difference in line with the theoretical 2^(10-5) = 32x. In a database breach, all user password hashes could therefore be cracked substantially faster. The same weak default is used in resetPassword (account.service.ts:568). This is a cryptographic weakness (CWE-916) with real-world impact on password security.
Detection Method: Kolega.dev Deep Code Scan
| Attribute | Value |
|---|---|
| Severity | Medium |
| CWE | CWE-916 (Use of Password Hash With Insufficient Computational Effort) |
| Location | packages/server/src/enterprise/utils/encryption.util.ts:5-7 |
| Practical Exploitability | Medium |
| Developer Approver | faizan@kolega.ai |
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| flowise (npm) | < 3.0.13 | 3.0.13 |
Patches
Vulnerability mechanics
Root cause
"Default bcrypt salt rounds set to 5 (32 iterations), far below the OWASP-recommended minimum of 10 (1024 iterations), making password hashes computationally cheap to crack."
Attack vector
An attacker who gains access to the password hash database (e.g., through a SQL injection or server compromise) can crack passwords far more quickly because the default bcrypt cost factor is only 5, yielding just 32 iterations [CWE-916][ref_id=1]. With modern GPUs, 5 rounds allows approximately 300,000 hashes per second versus roughly 10,000 per second at the recommended 10 rounds — a 30x speed advantage [ref_id=1]. No authentication or special network position is required once the attacker possesses the hash database; the weakness is purely in the cryptographic work factor of the stored hashes [CWE-916].
Affected code
The vulnerable code is in `packages/server/src/enterprise/utils/encryption.util.ts:5-7` [ref_id=1]. The `getHash` function calls `bcrypt.genSaltSync(parseInt(process.env.PASSWORD_SALT_HASH_ROUNDS || '5'))`, defaulting to 5 salt rounds when the environment variable is not set [ref_id=1]. The same weak default is also used in `resetPassword` at `account.service.ts:568` [ref_id=1].
What the fix does
The advisory recommends increasing the default `PASSWORD_SALT_HASH_ROUNDS` to at least 10 (the OWASP minimum) and preferably 12 for a better security-performance balance [ref_id=1]. No patch is shown in the bundle, but the remediation is straightforward: change the fallback value from `'5'` to `'10'` (or higher) in the `getHash` function and the `resetPassword` function [ref_id=1]. Simply raising the default does not re-hash existing passwords, so deployments should also plan to re-hash stored passwords on next login to fully close the vulnerability [ref_id=1].
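The recommendation to raise the default and the caveat that already-stored hashes keep their original cost come down to two checks: resolve the cost factor safely, and find stored hashes that need rehashing. The TypeScript below is an added example written for this page, not Flowise code. It assumes a post-fix default of 12 and a floor of 10, and it uses constructed sample rows whose salt and digest characters are placeholders rather than hashes of any real password. No bcrypt library is needed because the cost is readable from the stored hash string itself.

```typescript
// Added example (not Flowise code): safe cost-factor resolution and an audit of
// stored bcrypt hashes for weak costs. The cost is encoded in the hash string
// ("$2b$05$..." means cost 5), so no bcrypt library is needed to read it.

const DEFAULT_COST = 12 // assumed post-fix default
const MIN_COST = 10 // OWASP minimum work factor for bcrypt
const MAX_COST = 31 // upper bound of bcrypt's cost parameter

// The resolution logic reported in the advisory, kept only for comparison:
// an unset variable silently becomes cost 5.
function weakCostFactor(raw: string | undefined): number {
    return parseInt(raw || '5')
}

// Hardened resolution: a safe default, and fail-closed (throw) on anything that
// is not an integer within [MIN_COST, MAX_COST]. A bad value should stop startup
// rather than degrade silently to a cheap cost.
function hardenedCostFactor(raw: string | undefined): number {
    if (raw === undefined || raw.trim() === '') return DEFAULT_COST
    const cost = Number(raw)
    if (!Number.isInteger(cost)) {
        throw new Error(`PASSWORD_SALT_HASH_ROUNDS must be an integer, got "${raw}"`)
    }
    if (cost < MIN_COST || cost > MAX_COST) {
        throw new Error(`PASSWORD_SALT_HASH_ROUNDS must be between ${MIN_COST} and ${MAX_COST}, got ${cost}`)
    }
    return cost
}

interface BcryptHashInfo {
    variant: string // "2a", "2b", "2x" or "2y"
    cost: number // base-2 log of the key-setup iteration count
}

// Modular crypt format for bcrypt: $<variant>$<2-digit cost>$<22-char salt + 31-char digest>.
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$[.\/A-Za-z0-9]{53}$/

function parseBcryptHash(hash: string): BcryptHashInfo | null {
    const m = BCRYPT_RE.exec(hash)
    return m ? { variant: m[1], cost: parseInt(m[2], 10) } : null
}

// A hash needs rehashing if it is not bcrypt at all or its cost is below the floor.
function needsRehash(hash: string, minCost: number = MIN_COST): boolean {
    const info = parseBcryptHash(hash)
    return info === null || info.cost < minCost
}

// Relative attacker work between two costs: each +1 doubles the key setup.
function workRatio(fromCost: number, toCost: number): number {
    return Math.pow(2, toCost - fromCost)
}

interface UserRow {
    email: string
    passwordHash: string
}

// Returns the e-mail addresses whose stored hash is below the floor, e.g. to
// force a rehash on next successful login or to report coverage after a fix.
function auditPasswordHashes(rows: UserRow[], minCost: number = MIN_COST): string[] {
    return rows.filter((r) => needsRehash(r.passwordHash, minCost)).map((r) => r.email)
}

// Constructed sample rows. The salt/digest characters are placeholders with the
// right alphabet and length (22 + 31); they are not hashes of any real password.
const PLACEHOLDER_SALT = 'abcdefghijklmnopqrstuv'
const PLACEHOLDER_DIGEST = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ01234'
const SAMPLE_USERS: UserRow[] = [
    { email: 'alice@example.com', passwordHash: `$2b$05$${PLACEHOLDER_SALT}${PLACEHOLDER_DIGEST}` }, // old default
    { email: 'bob@example.com', passwordHash: `$2b$12$${PLACEHOLDER_SALT}${PLACEHOLDER_DIGEST}` }, // post-fix cost
    { email: 'carol@example.com', passwordHash: `$2a$10$${PLACEHOLDER_SALT}${PLACEHOLDER_DIGEST}` } // at the floor
]

// Stand-alone run: report users still carrying a weak hash and how much cheaper
// each one is to attack than a hash at the post-fix default.
for (const row of SAMPLE_USERS) {
    const info = parseBcryptHash(row.passwordHash)
    if (info && needsRehash(row.passwordHash)) {
        console.log(`${row.email}: cost ${info.cost}, ${workRatio(info.cost, DEFAULT_COST)}x cheaper to attack than cost ${DEFAULT_COST}; rehash on next login`)
    }
}
```

In the login path, once the password verifies against the stored hash, call needsRehash on that hash and, if it returns true, store a fresh hash made with hardenedCostFactor(process.env.PASSWORD_SALT_HASH_ROUNDS). Feeding the same resolver to both getHash and resetPassword keeps the two paths from drifting apart.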
Preconditions
- Input: the attacker must obtain the password hash database (e.g., via SQL injection, server compromise, or backup leak)
- Configuration: the target deployment must use the default PASSWORD_SALT_HASH_ROUNDS value of 5 (most deployments use defaults)
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.